My fellow CISSP and author Walter Jon Williams observed that
Paranoia is not a part of any mindset. It is an illness.
Ah, Walter the literalist!
Yes I agree with what you say but look at it this way
“We’re paid to be paranoid” doesn’t mean we’re ill.
It’s a job.
Now if your job is an obsession, one you take home with you and that interferes with your family life, one that you can’t let go, then it’s an illness whatever it is.
“We’re paid to be paranoid”
It’s a job. You don’t pay us Information Security Professionals to be Pollyannas, to have a relaxed attitude.
Many of us come from a military or law enforcement background, some having served at the sharp edge of confrontations. The sharp edge isn’t always the “mud and guns”; sometimes it’s watching a screen or sifting through intelligence reports or forensics or after-action reports or …
But if you don’t have (a) a suspicious mind, (b) 20-20 peripheral vision about threats and contingencies, and (c) a complete lack of silo-ization, then you can’t be doing a good job in those roles.
Perhaps there are “pen testers” who know everything about breaking into a network. Ranum and others have written on why such people are not really “security professionals”: part of that is their silo mindset.
We see similar rants about “jumped-up system administrators”.
Many of us here are engineers or have an engineering background or education. Engineers, I’ve found, often operate on the expectation that things *will* go wrong, stuff *will* break, it *won’t* perform to manufacturers’ specs. Not all of that is experience; a good part is education, since they are taught how to build indefinitely reliable stuff out of unreliable parts – given the budget and opportunity. And if engineers are sceptical about anything, it’s budget.
So when it comes down to a quick description of this “suspicious” mindset, one that is not confined to a narrow silo but covers all the domains of the CBK and possibly more (perhaps you too read Risks Digest and GrandPaRob’s book reviews), one that would qualify you for various TLA organizations which we choose to discuss only in unfavourable terms, _what_ word or phrase are you going to use?
I agree, Walt, the definition of ‘PPD’ in DSM-IV is unpleasant and not one that I would like to be applied to me:
Paranoid Personality Disorder
A pervasive distrust and suspiciousness of others such that their motives are interpreted as malevolent, beginning by early adulthood and present in a variety of contexts, as indicated by four (or more) of the following:
- Suspects, *without sufficient basis*, that others are exploiting, harming, or deceiving him or her.
- Is preoccupied with *unjustified doubts* about the loyalty or trustworthiness of friends or associates.
- Is reluctant to confide in others because of *unwarranted* fear that the information will be used maliciously against him or her.
- Reads hidden demeaning or threatening meanings into benign remarks or events.
- *Persistently bears grudges* (i.e., is unforgiving of insults, injuries, or slights).
- Perceives attacks on his or her character or reputation that are not apparent to others and is quick to react angrily or to counter-attack.
- Has recurrent suspicions, *without justification*, regarding fidelity of spouse or sexual partner.
In our profession we have evidence from the past that hackers and extortionists do use information against companies, so our fears are not unwarranted. We do have justifications for our suspicions, we only need to inspect our logs! We do have reasons to suspect that our colleagues are, intentionally or inadvertently, leaking information that can be used by adversaries.
I’d note on reading the above that if that definition were to be applied to a nation state or its security apparatus then many countries of the Western World and quite a few of the ones in the Eastern World can be clinically diagnosed as being ‘paranoid’.
That page I reference goes on to define ‘Schizoid Personality Disorder’.
The ‘solitary’ and the ‘religious’ parts seem contradictory, but one wonders.
The point I think is key to what you say, Walter, is that we need a better way, and yes, what we are doing is Risk Analysis. I think that Risk – the probabilistic aspect – is important and differentiates us from the think-tank prophets of doom, even though the latter grab headlines and produce responses from politicians – viz. Global Warming and many such in the past.
Good managers understand risk.
Perhaps this is why the ISO-31000 people talk of ‘risk’ in terms of uncertainty and allow for an upside. They see a risk of winning a lottery.
The “paid to be paranoid” view is important. A lot of the time in my career I’ve been paid not to be paranoid but to find controls and opportunities. Perhaps this is the ISO-31000 aspect.
That being said, I think the ISO-31000 people have twisted the language a fair bit and become obsessional in their own way. You don’t insure against success. Much of our culture is really about controls and safety nets. That doesn’t – shouldn’t – destroy hope and progress.
In my DatabaseOfDotSigQuotes is this:
If a better system is thine, impart it;
if not, make use of mine.
The phrase “Paid to be paranoid” is succinct and catchy — and no, that doesn’t mean your objections are wrong, Walt. But not everyone lives & dies by DSM-IV. And yes, I agree with the rest of your post about what we should be projecting as an image.
But can you or anyone else come up with something better, something still succinct and still catchy?
I’d be glad to hear it and make use of it.